
Prompted by the latest Kali update (the rolling Sana), I looked through all my USB sticks and decided to update them all. One such stick holds Tails, the privacy- and anonymity-minded OS on a stick that ships with Tor and I2P, used by privacy advocates all over the world (including Edward Snowden).

Downloading Tails could not be easier, as all that’s needed is shown and explained on their website (see below).

Before downloading, take some reasonable precautions, such as making sure that your internet connection, router and DNS are unlikely to be compromised. How to do so is beyond the scope of this article, but Horowitz had some pointers back in 2014 (cw-eviltwin).

Counterintuitively, it may be safer to download via BitTorrent rather than straight from the website. Either way, after downloading you should “Decrypt and verify” the ISO image with GPG, as shown on their website (import their key into your GPG program, then Decrypt & Verify). This matters, especially if you’ll be trusting this system with your privacy and/or anonymity.

If you see the above message, the ISO image is still correct. The warning only signifies that you haven’t yet “trusted” their key by signing it with your own key. The important part is making sure you have the correct key (the one belonging to the Tails developers) by checking it against several independent sources. That’s what the link above attempts to show you.

Since this discussion is so important, we will mirror it below.

Tails signing key is actually already signed by the keys of several official developers of Debian, the operating system on which Tails is based. Debian makes extensive use of OpenPGP and you can download the keys of all Debian developers by installing the debian-keyring package. You can then verify the signatures those developers made with their own key on Tails signing key.

To download the Debian keyring you can do:

sudo apt-get install debian-keyring

To get a list of the signatures made by other people on Tails signing key you can do:

The lines ending with '[User ID not found]' are signatures made by keys you still don't have in your keyring. You could try to search for them in the Debian keyring by their key ID: the 16-digit code between the 'sig' tag and the date. You could for example do:

On the output, the status of the verification is indicated by a flag directly following the "sig" tag. A "!" indicates that the signature has been successfully verified, a "-" denotes a bad signature and a "%" is used if an error occurred while checking the signature (e.g. an unsupported algorithm). For example, in the following output the signature of Stefano Zacchiroli on Tails signing key has been successfully verified:
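As an added illustration (not part of the mirrored Tails documentation), the script below applies the flag rules just described to a constructed sample of `gpg --check-sigs` output: it counts verified ("!"), bad ("-") and errored ("%") signatures and lists the key IDs of signers marked "[User ID not found]", which are the ones you would then look for in the Debian keyring. The key IDs, e-mail addresses and dates in the sample are placeholders, not real values.

```shell
#!/bin/sh
# Constructed sample of `gpg --check-sigs` output; key IDs and addresses are placeholders.
SAMPLE_CHECK_SIGS='pub   rsa4096/0000000000000000 2015-01-01 [SC]
uid           [ unknown] Example Signing Key <placeholder@example.org>
sig!3        0000000000000000 2015-01-01  Example Signing Key <placeholder@example.org>
sig!         1111111111111111 2015-01-02  Stefano Zacchiroli <placeholder@example.org>
sig-         2222222222222222 2015-01-03  Some Developer <placeholder@example.org>
sig%         3333333333333333 2015-01-04  Other Developer <placeholder@example.org>
sig          4444444444444444 2015-01-05  [User ID not found]'

# summarize_sigs: reads check-sigs output on stdin and prints one summary line.
# The character directly after "sig" is the verification flag:
#   "!" verified, "-" bad signature, "%" error while checking, anything else unchecked.
# Signers missing from the keyring ("[User ID not found]") are listed by key ID.
summarize_sigs() {
  awk '
    $1 ~ /^sig/ {
      flag = substr($1, 4, 1)
      if (flag == "!") verified++
      else if (flag == "-") bad++
      else if (flag == "%") err++
      else unchecked++
      if (index($0, "[User ID not found]") > 0) {
        # the 16-digit hex key ID sits between the sig tag and the date
        for (i = 2; i <= NF; i++)
          if ($i ~ /^[0-9A-F]+$/ && length($i) == 16) { missing = missing " " $i; break }
      }
    }
    END {
      printf "verified=%d bad=%d error=%d unchecked=%d missing=%s\n",
             verified, bad, err, unchecked, (missing == "" ? "none" : substr(missing, 2))
    }'
}

# sigs_trustworthy: succeeds only when at least one signature verified and none
# came back bad or errored; unchecked signatures are ignored, not trusted.
sigs_trustworthy() {
  summary=$(summarize_sigs)
  case "$summary" in
    verified=0*) return 1 ;;
    *"bad=0 error=0"*) return 0 ;;
  esac
  return 1
}

printf '%s\n' "$SAMPLE_CHECK_SIGS" | summarize_sigs
```

Run against the real output of `gpg --check-sigs` on the Tails signing key once the Debian keyring is installed; any "bad" or "error" count above zero means the key should not be used until the cause is understood.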

When installing to a USB stick, what you need to decide is whether you want encrypted persistence or not, or, to put it simply, whether you want to keep data between sessions. This is a difficult question, as it inherently deals with the privacy and security vs. convenience trade-off. If you do not want to retain data, you might want to consider burning to a read-only medium such as a DVD-ROM instead.

You need at least 4GB for encrypted persistence; if you only want the ISO burned, 2GB should suffice.

(This article is unfinished. It was scheduled to appear in the hope that it would be finished before publication, but as long as this notice is here and until it is removed, the article is to be considered work in progress.)